Asiaing.com: Free eBooks, Free Magazines, Free Magazine Subscriptions


2008 Data Breach Investigations Report

Report - Computer & Internet
Tuesday, 01 July 2008

INTRODUCTION: In a real sense, this report is a “post-mortem” examination of hundreds of data breach victims. Just as the forensic scientist seeks clues to the sequence of events surrounding a crime, the cause of death, and the identity of suspects, the Verizon Business Investigative Response team is focused on examining evidence of computer crime. Common to investigations in both the physical and cyber worlds is a dependence on cold, hard facts. Building a credible case often requires the collection of heaps of data.

To that end, the 2008 Verizon Business Data Breach Investigations Report integrates a vast amount of factual evidence from forensic investigations over the last four years. The study is unique in that it offers an objective, first-hand view of data breaches directly from the casebooks of our Investigative Response team. Tens of thousands of data points weave together the stories and statistics from compromise victims around the world. We have attempted to interpret their tales and it is our hope that your organization will learn from these findings and thereby avoid their end.

Verizon Business Investigative Response

Security breaches and the compromise of sensitive information are a very real concern for organizations worldwide. When such incidents are discovered, response is critical. The damage must be contained quickly, customer data protected, the root cause found, and an accurate record of events and losses produced for authorities. Furthermore, the investigation process must collect this evidence without adversely affecting the integrity of the information assets involved in the crime.

The Verizon Business Investigative Response team has a wealth of experience and expertise, handling over 500 security breach and data compromise engagements between 2004 and 2007. This includes roughly one-third of all publicly disclosed data breaches in 2005 and a quarter of those in both 2006 and 2007. This caseload represents a large proportion of total known compromised records during this time frame as well as three of the five largest data breaches ever reported.

During such investigations, the team regularly interacts with governmental agencies and law enforcement personnel from around the world to transition case evidence and set the stage for prosecution. In addition to security breach and data compromise cases, the Investigative Response team provides services such as litigation support, e-discovery, expert witness testimony, chain-of-custody, mock-incident training, and incident response program development.

The expansive statistical data set generated through these activities offers an interesting glimpse into the trends surrounding computer crime and data compromise.

A Primer on Cybercrime

Crucial to the interpretation of the findings presented in this study is an understanding of the forces that drive cybercrime and the market systems in which it takes place.

Easy money is a motivation that is very powerful to anyone and especially so to the criminal. Data theft is not the only way to achieve this end, but it is one of the easiest, safest, and most lucrative. Criminals could, and do, steal wallets and purses to obtain information necessary to commit identity fraud, access bank accounts, and acquire cash, but the yield is low and the risk is high. Conversely, obtaining the same information on thousands of individuals, often without them even knowing it, is a much wiser course of action.

By gaining access to online information systems, the cybercriminal operates with several distinct advantages:

  • Higher yield—Vulnerable systems hold information on tens of thousands of victims.
  • Less target resistance—When breached, systems tend not to fight back and many do not keep a record of what happened.
  • Low target sensitivity—It often takes system owners weeks or even months to discover a breach. This allows the criminal to harvest information over a longer period of time.
  • Easier escape—When the jig is up, it is significantly easier for the cybercriminal to run and disappear.

The potential value of engaging in cybercrime would not be realized if a market for stolen data did not exist. The social network that is the by-product of the information black market enables players in the criminal underground (hackers, fraudsters, and organized crime groups) to collaborate with one another to find vulnerable systems, compromise data, and commit fraud. Additionally, this market has made the incentives available to a broader population and has allowed individuals and smaller groups to participate in any phase of the data compromise life cycle they choose.

This combination of powerful motivation and an accessible market has enabled the business of cybercrime to grow rapidly. Prior to the market’s existence, the hacker may not have had the social network to sell stolen data and the fraudster may have been limited in the volume of data available to them. A marketplace for compromised data facilitates networking among like-minded criminals, lowers barriers to entry, and enables individuals or groups to make money through cybercrime. Ultimately, it allows the pilfered zeros and ones to be converted into cash and material goods.

Download 2008 Data Breach Investigations Report

PDF format, 994 KB, 29 pages.

Four Years of Forensic Research. More than 500 Cases.
One Comprehensive Report

A study conducted by the Verizon Business RISK Team
www.verizonbusiness.com
© 2008 Verizon. All Rights Reserved. WP13028

Table of Contents:

Executive Summary
Introduction
Verizon Business Investigative Response
Methodology
A Primer on Cybercrime
Results and Analysis
Demographics
Sources of Data Breaches
Breach Size and Source
Threat Categories
Attack Difficulty
Targeted vs. Opportunistic Attacks
Common Attack Pathways
Information Repositories and Channels
Types of Data Compromised
Time Span of Data Breach Events
Data Breach Discovery Methods
Anti-Forensics
Unknown Unknowns
Conclusions and Recommendations
